Pages

Wednesday, 6 June 2012

6 keys to SSL and choosing the right cloud provider

Cloud computing is quickly changing the IT landscape, perhaps most prominently in healthcare.

But, according to a recent whitepaper by digital certificate provider GeoTrust, cloud services also pose "significant potential risks for enterprises that must safeguard corporate information assets while complying with a myriad of industry and government regulations."

With that said, GeoTrust helped outline six keys to understanding SSL and choosing the right cloud provider for you.

Although there are obvious benefits of cloud technology, compliance and data privacy have slowed enterprise adoption, according to the report. "An IDC survey of IT executives reveals that security is the #1 challenge facing IT cloud services," it read. The report added that Gartner Research identified seven specific areas of security risk associated with enterprise cloud computing, and organizations should consider several of them when selecting a provider. They include access privileges, regulatory compliance, data location, and monitoring and reporting. "To reap the benefits of cloud computing without increasing security and compliance risks, enterprises must ensure they work only with trusted service providers that can address these and other cloud security challenges," it read. "What's more, when enterprises move from using just one cloud-based service to using several from different providers, they must manage all these issues across multiple operators."

2. Learn the ins and outs of SSL. Secure socket layer (SSL) is a security protocol used by Web browsers and servers to help users protect data during transfer. According to the report, it is the standard for establishing trusted exchanges of information over the Internet. "Without the ubiquity of SSL, any trust over the Internet simply would not be possible," it read. SSL delivers two services that help solve some cloud security issues, such as SSL encryption and establishing a trusted server and domain. Understanding the "SSL handshake," said the report, means knowing the importance of public and private key pairs as well as verified identification information. "[I]t can begin a secure session that protects data privacy and integrity," the report read.

3. Take steps to ensure data segregation and secure access. Data segregation risks are "ever-present" in cloud storage, according to the report. "With traditional onsite storage, the business owner controls both exactly where the data is located and exactly who can access it," it read. "In a cloud environment, that scenario is fundamentally changed; the cloud service provider controls here the servers and the data are located." But a proper implementation of SSL can secure sensitive data. To ensure this, the report advised a potential cloud provider should provide three things: encryption, authentication, and certificate validity. "Businesses should require their cloud provider to use a combination of SSL and servers that support … 128-bit session encryption," it read. "[They] also should demand that sever ownership be authenticated before one bit of data transfers between servers."

4. Keep regulatory compliance in mind. "When it comes to secure and confidential data, businesses are burdened with a slew of regulations," read the report, with HIPAA being the most notable for healthcare organizations. "When an organization outsources IT to a cloud service provider, the organization is still responsible for maintaining compliance with [HIPAA] and any other applicable regulations – and possibly more depending on where the servers and the data are at any given moment." The report mentioned since the enterprise IT manager can't rely solely on the cloud provider to meet requirements, he/she should require the provider to seek some compliance oversight. "Cloud computing providers who refuse to undergo external audits and security certifications are signaling that customers can only use them for the most trivial functions," the report read.

5. Know that not all SSL is created equal. The "chain of trust" when employing a cloud provider should also extend to their security provider, according to the report. "The cloud vendor's security is only as good as the reliability of the security technology they use," it read. Furthermore, organizations need to make sure their cloud provider uses an SSL certificate that can't be hacked. In addition to ensuring the SSL comes from an authorized third party, they should demand security requirements such as a certificate authority that safeguards its global roots, a certificate authority that maintains a disaster recovery backup, a chained hierarchy supporting their SSL certificated, global roots using new encryption standards, and secure hashing using the SHA-1 standard, "to ensure that the content of certificated can't be tampered with."

6. In the end, go with what you know. "SSL is a proven technology and a keystone of cloud security," the report read. "When an enterprise selects a cloud computing provider, the enterprise should consider the security options selected by that cloud provider." Knowing that a cloud provider uses SSL, said the report, can go a long way toward establishing confidence. Also, when selecting a cloud service provider, enterprises should be very clear with their partners regarding handling and mitigation of risk factors not addressable by SSL. "Cloud providers should be using SSL from an established, reliable and secure independent certificate authority," it read.